Merge pull request #59 from minrk/state-outside

move state outside envs

tljh/installer.py

@@ -1,18 +1,20 @@
-import sys
+import argparse
 import os
-import tljh.systemd as systemd
-import tljh.conda as conda
+import secrets
+import subprocess
+import sys
+import time
 from urllib.error import HTTPError
 from urllib.request import urlopen, URLError
-from tljh import user
-import secrets
-import argparse
-import time
+
 from ruamel.yaml import YAML
 
+from tljh import conda, systemd, user
+
 INSTALL_PREFIX = os.environ.get('TLJH_INSTALL_PREFIX', '/opt/tljh')
 HUB_ENV_PREFIX = os.path.join(INSTALL_PREFIX, 'hub')
 USER_ENV_PREFIX = os.path.join(INSTALL_PREFIX, 'user')
+STATE_DIR = os.path.join(INSTALL_PREFIX, 'state')
 
 HERE = os.path.abspath(os.path.dirname(__file__))
 
@@ -38,16 +40,16 @@ def ensure_jupyterhub_service(prefix):
     systemd.install_unit('jupyterhub.service', hub_unit_template.format(**unit_params))
     systemd.reload_daemon()
 
+    os.makedirs(STATE_DIR, mode=0o700, exist_ok=True)
+
     # Set up proxy / hub secret oken if it is not already setup
-    # FIXME: Check umask here properly
-    proxy_secret_path = os.path.join(INSTALL_PREFIX, 'configurable-http-proxy.secret')
+    proxy_secret_path = os.path.join(STATE_DIR, 'configurable-http-proxy.secret')
     if not os.path.exists(proxy_secret_path):
         with open(proxy_secret_path, 'w') as f:
             f.write('CONFIGPROXY_AUTH_TOKEN=' + secrets.token_hex(32))
         # If we are changing CONFIGPROXY_AUTH_TOKEN, restart configurable-http-proxy!
         systemd.restart_service('configurable-http-proxy')
 
-    os.makedirs(os.path.join(INSTALL_PREFIX, 'hub', 'state'), mode=0o700, exist_ok=True)
     # Start CHP if it has already not been started
     systemd.start_service('configurable-http-proxy')
     # If JupyterHub is running, we want to restart it.
@@ -192,6 +194,9 @@ def main():
 
     ensure_usergroups()
     ensure_user_environment(args.user_requirements_txt_url)
+    # Weird setuptools issue creates a few world-writable metadata files.
+    # Fix it:
+    subprocess.check_call(["chmod", "-R", "o-w", os.path.join(HUB_ENV_PREFIX, "pkgs")])
 
     print("Setting up JupyterHub...")
     ensure_jupyterhub_package(HUB_ENV_PREFIX)

tljh/systemd-units/configurable-http-proxy.service

@@ -14,7 +14,7 @@ PrivateTmp=yes
 PrivateDevices=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
-EnvironmentFile={install_prefix}/configurable-http-proxy.secret
+EnvironmentFile={install_prefix}/state/configurable-http-proxy.secret
 # Set PATH so env can find correct node
 Environment=PATH=$PATH:{install_prefix}/hub/bin
 ExecStart={install_prefix}/hub/bin/configurable-http-proxy \

tljh/systemd-units/jupyterhub.service

@@ -10,14 +10,14 @@ User=root
 Restart=always
 # jupyterhub process should have no access to home directories
 ProtectHome=tmpfs
-WorkingDirectory={install_prefix}/hub/state
+WorkingDirectory={install_prefix}/state
 # Protect bits that are normally shared across the system
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 # Source CONFIGPROXY_AUTH_TOKEN from here!
-EnvironmentFile={install_prefix}/configurable-http-proxy.secret
+EnvironmentFile={install_prefix}/state/configurable-http-proxy.secret
 Environment=TLJH_INSTALL_PREFIX={install_prefix}
 ExecStart={python_interpreter_path} -m jupyterhub.app -f {jupyterhub_config_path}